AMENDMENTS TO THE CLAIMS

I v Cjne h % Vi t xidoO) \ nx s c r *bt se cctncs/ •jra^inji . t ^.e-s *v fc^ct o ^ „' 
of \ totiv.a'e i 3 ^,) Cd >o? V pi *.>\1y ot jissts ^ -> ci ~o:n"r,MPL 

a * v men 3 \ _o.ii g reu .o cie * rst i .ta rehtec tr 'ho vUvsaie a-chv?' o<* a*^ 
st co d^ specif c t<t emtJvS of i o < j v»v H ot .j>cis to \c.^ a fl ir^ ^ ot pses 
i\v v sons Ox' uH 'OS, o app ^Yio, *r\ 

? iu. t.hecvt; i', v-onuvan ^aivr v\rf-> toe s.oi v>,. > aj t x h^att " and i">e ' s* ne^orv s^s 
ruies cnecker configured to: 

ox vs. at k -^i vj ^ », .cry, sheen) t ie .. >. cn, ]-> ge .'s,0 w s e->po i-c to ar sopi * 

'e^e vod ons oot of tre p 1 % ot use's* ^ tb wso^v *o the soUh,. >e -c > ^ oo ard 
t( mk' t n wc s iio sot vw~e f-pphcatio^ i re.oonsc t ^e juuv vshe < j n 

*he .ic sciNje > ^ereratef. baaed o 1 >. e q,. en- o t he seam J ar a 

said message provides instructions to the software application regarding entitlements of
the one of the plurality of users to access at least one of the plurality of preset functions of the
software application;

the respective first data for each software application includes an identification of
hierarchically arranged functions associated with that software application; and

an entitlement of the one of the plurality of users to one of the hierarchically arranged
functions automatically applies to functions that are hierarchically subordinate to the one of the
plurality of hierarchically arranged functions.

2. (Original) The system according to claim 1, wherein the first memory is a
relational database.

3. (Previously Presented) The system according to claim 1, wherein the software
application is implemented on one of a mainframe and a distributed computing system.

4. (Original) The system according to claim 1, further comprising:
a second memory configured to store proprietary data useful to the particular software
application, and

wherein said message provides information to the particular software application regarding
authorization to output portions of the proprietary data.

5. (Cancelled) 

6 '-A en*" \rner\d} \e a\ ten ccosonv io <Ju\r ^] - Iv^ct 

it t*es vcmj, -es n ,o t un sei^ t .o + x . e o* the u^e^ .ru dL uru to eas feo^be 
C c" oris c-secuied wui" he \n tv,uVj s* tware "ipnottoi ma 

n r he eessage r^dlo to that i te ustA a»th w ukv ~» ecctbs t a. c si . , 
function. 

? V »J .yidl) TYe \j> c -n <utc ding *<- dzsn \ w ,e*em iK < fea inj 
h*e ai^:\t,a v <> xed V c, o-i- k 1 , oe <u .Uvrs v ^ons, ,r d vi >-sub ivk ~s 

^ tOri, ? f lii; v^ter^wo a'ng< u<v ^ 1 nbe'cn t * ro^peUAe f, >♦ Cau .o 
e< Ji soltwase ipnhv<-\on inc s , Ce:> ui u<c n< ".at or* of ca a ides cssooateo h ^ that softv aie 
application. 

9. (Original) The system according to claim 8, wherein the query further comprises
m*unra«\n re ang t -one eftbo .so*s -didao e to r legist one of me <^'a tYs ^ccatcd
\s o * ie p tu^ a, sc<vv> e app ,uit on arcs 

■s^ere n the r cv>age 'e ^us to ope t »c - . m k r.'c+vi to icctsb. it a* leas tys fie a 

i (Origsrd) E e s^vv^i dtco.d \ a toda* r \, wvosv. \iz a ic-. vd eAe, ss Kifhu 
configured to: 

s>e\t: ale . e re^age Iwd o'Moq els data ^ lie \ { V d s<a 

V C\ .en v Ar cwo) T ">e ^ ot^r~ accer Mg to daun ! vsae^ ! 
J>e respev* Vv -.eco^e" cata tor ea^i Kc i sois inc. i ki- < . e~b o* e o e f *oir ronog a 
p.jrv \ ox,oos ?ssocs<*t,c vm \t ••at.^u at ws-e and 

. *t re^poo-v a fa <t hia ?oi cat j o<\* a.s. dp ^at'O', ,e ucev 

m iilviiijk.-? or «'* >f« ! a-fc^eutl\ a-Rf. ig* J a iC-o.v- aw* ^ ed hi> i t*v **e£vrt--e 

a ac s f r ^ 'or ot \% b ot iho 1 1 a, t\ o~ roles ib touted .o a^es'. e<uo <V fae 
functions. 

*~ (O-'gr-jl) "ae vs.ur according 'o uhce" 

tbo c uers frciudct zi .d^^ic^'or oi a .soeofie one of m !.sars and a see., fc of t.ie 
avcuo f ast-«VMtee " ;ae pa.ucular *>o*Hsa5e application, 

tae rales cl ecke: is fjnhci O'l^fti^ed L; geae^He t.se mvssfsgc bs«ra or. lie qocv, t' e 
fr aata anO ; i word cita, ^nr 

Lie irt&sago jats fie v;ui cnior ^of ware appac ifoo •-ending ^iiat speuaa iter's 
wt e'xserr to saces*-? t ut ^.xcific f ncuoo 

H v O-sginaI) T'v -sv^m aceosdwg to LdiTH 2 v,h„'cu t'v n*.cs thccs.t. .i ^ d-ita
rtl.uL,*'!^ t t st^ia ^ 1 ^h.L sjtcific i.sci t s ioi tristle', ace^s *ia m cc u h numr

1+ 'G g sal v I heater- d^t^McIi r 4 v ere ^e rcspec ^escu.i iv\< 
to « cL oi * x aseis m ues^r icee-s c\el t< m anwi. a n & it\o o^foVJs <svt. tuo 
win * ^ paJx.< . s^e itu' s c\ ok' eic * xvika rr -uiJho 'a. ! i« o th n -^o'o t^cr o 
s^lss " v.p ca a ^nh 1 ne «-ueid r c^rrs iru 

t!\ ^ <.s v « ~\e c s 1) ( ie~ v,o s f g a ed \ gtne^e the s ie<-v gs, <rwc on Jk ,\ eiv > e 
first data and the second data, 

15. (Original) The system according to claim 1, further comprising:

an administrative application configured to facilitate administration of the first and second
data.

16. (Previously Presented) The system according to claim 15, wherein the
administrative application is further configured to manipulate the first data according to which of
a plurality of clients the plurality of users is associated with.

17. (Original) The system according to claim 15, wherein the administrative 
application is further configured to manipulate the first data according to an identity of a 
particular one of the users. 

18. (Original) The system according to claim 15, wherein the administrative
application is further configured to manipulate the first data according to which of a plurality of 
roles a particular one of the users is associated with. 

19. (Previously Presented) The system according to claim 15, wherein the
administrative application is further configured to manipulate all the first data relating to the
software application.

20. (Previously Presented) The system according to claim 15, wherein the
administrative application is further configured to manipulate all the first data relating to one of a
plurality of functions associated with the software application.

21. (Original) The system according to claim 1, further comprising:
an auditing application configured to facilitate auditing of the first and second data and
any additional data generated by the rules checker.

22. (Original) The system according to claim 21, wherein the auditing application is
further configured to provide a history, upon request, of messages forwarded by the rules
checker.

23. (Original) The system according to claim 22, wherein the history emphasizes those
messages related to a failed attempt to access the particular function.

24. (Original) The system according to claim 22, wherein the auditing application is
further configured to provide a history, upon request, of changes to one or both of the first data 
and the second data. 

2^ ^Kv.rs sH P-tsc i>ed) '\„ T et\x1 "o. p\> a,^ anphcMor e\t tecjin\ <rd 
method comprising the steps of:

stor r xli fs st , id isu io , soft vs .re ^ ^ J( .atfOh 

- ion 't; set. " l. dai ?pec.rv - g erth.s merit o * e<v ~ o* i ,> 1 , ». , use-s +<■, ^cst- a 
p ! ai?lii\ oi p, ese< i rt ons o' t^c sot* atiC arp* citto - 

-ecoiving a \m\ x\ herein <ee r,ut \ k gorer^teu >n i^ponst «o ,^ 1 1* cm ont ci t ie 

plurality of users with respect to the software application;

in response to the query, forwarding a message to the particular software application, said
message being generated based on the second data and the query, and providing instructions to
the particular software application regarding entitlements of the one of the plurality of users to
access at least one of the plurality of preset functions of the software application.

26. (Original) The method according to claim 25, further comprising the step of:
generating the message based on the query, the first data and the second data.

27. (Original) The method according to claim 26, wherein the query includes an 
identification of the particular user and the function. 

28. (Original) The method according to claim 25, wherein the second data includes 
for each user, one or more of an associated user tt\ client name, role, and business level. 

29. (Original) The method according to claim 28, wherein the first data includes for
each software application an identification of associated hierarchically arranged functions and
characteristics of those users authorized to access each such function.

30. (Original) The method according to claim 20, further comprising the steps of:
correlating the first and second data to determine authorized functions, said authorized
functions being those particular functions of each software application which are accessible by a
specified user;

generating the message based on the query and the determination of authorized functions,
wherein said query includes an identification of the particular user and the function.

31. (Original) The method according to claim 28, wherein the first data includes for
each software application an identification of associated data fields and characteristics of
entitlements of users to each data field.

32. (Original) The method according to claim 31, further comprising the steps of:
correlating the first and second data to determine authorized data field operations, said
authorized operations being those particular operations of each data field which are permitted to a
specified user; and

generating the message based on the query and the determination of authorized
operations, wherein said query includes an identification of the particular user and of a
predetermined data field.

33. (Previously Presented) The method according to claim 2<> further comprising the
steps of:

storing proprietary data useful to the software application, and
storing third data relating to accessibility of the proprietary data.

34. (Original) The method according to claim 33, further comprising the steps of:
correlating the first, second and third data to determine authorized data accesses, said
authorized data accesses being those particular data accesses of the proprietary data which are
permitted to a specified user, and

generating the message based on the query and the determination of authorized data
accesses, wherein said query includes an identification of the particular user and of predetermined
proprietary data.

35. (Original) The method according to claim 25, further comprising the step of:
creating a log entry relating to the message if the message indicates instructions which
prohibit the particular software application access to the function.

36. (Original) The method according to claim 29, further comprising the step of:
administering the first and second data by manipulating one or both of the first and second
data according to which of a plurality of clients the plurality of users is associated with.

37. (Original) The method according to claim 29, further comprising the step of:
administering the first and second data by manipulating one or both of the first and second
data according to the identity of a particular one of the users.

38. (Original) The method according to claim 29, further comprising the step of:
administering the first and second data by manipulating one or both of the first and second
data according to which of a plurality of roles the plurality of users is associated with.

39. (Previously Presented) The method according to claim 29, further comprising the
step of:

administering the first and second data by manipulating all the first data relating to a
specific the software application.

40. (Previously Presented) The method according to claim 29, further comprising the
step of:

administering the first and second data by manipulating all the first data relating to one of
the plurality of preset functions associated with the software application.

41. (Currently Amended) A computer readable medium bearing instructions for
providing application-level security, said instructions being arranged to cause one or more 
processors upon execution thereof to perform the steps of: 

v v r ^ fk-,t care id \t \ a ser* £ , v son, «u << i

stor„? l, -co -c d .V spa o,vg u is V ncn + <» i + e<i~h of i ~^L? , \\ < 1 <. s ei-» to i 
"i*-ahiv >'f p.csct *l aci o h o the so**v*?ic aeehcat or 

f e.ci\ tp a ei ef> ure^i * t se < s at \ 5^ gene a v e 1 »r ^sponse .o an / p- . ,cce \tx en 
ore ji in, 'I-'-, n/i-'t •> \v<n rt,*x.u t. s»o Vv^'t «tpp crun 

32 es*\>ri<'tf the v ~.r\ ftvwthz-g 3 .lessee e tee »or\\. e np,\at o** s c le 
b*, n«, ge? cili*lJ bise* o' 11 e e*~v aee secei.t. dan < ad p^oss J ng iV^'y^to re 
soP\n .'sj ~y,h^toi e^air > g cnntlene its o£ loe om* 'io pi r e\ of jves u> .aess kast 
ore of t .e clan U -"ese. uectfons 0' xca o'\\\e e ^heafco > a,v - 

wherein: 

hierarchically arranged functions associated with that software application

aii.emitk^-nem.ofthej^ie. i\ieUM^Mca|!VMr«Bged 
functions automatically applies to functions that are hierarchically subordinate to the one of the
plurality of hierarchically arranged functions.

42. (Previously Presented) The system according to claim 14, further comprising:
a non-volatile data store indicating a hierarchical arrangement of the plurality of access
levels, and

wherein the rules checker is further configured to consult the data store when determining
the authorization of that particular user.

43. (Previously Presented) The system according to claim 21, wherein the auditing
application is further configured to provide real-time data logging and retrieval.

44. (Previously Presented) The system according to claim 2, wherein all updates to
data within the relational database are performed in real-time and the rules checker is further
configured to use the updated data.

45. (Previously Presented) The system according to claim 1, wherein the particular
software application is a simulation application, said simulation application is configured to

provide in the query to the rules checker a simulated user identity and a simulated secured
resource identity,

lwu 5 'd^i s.r'1' cheAcrn ^e-^iie ~o^\es?cc j\ the ,ou,s chvxk^ .a. 
eutt tnc, e e^tnLr trts of *kc s n ater u->ei to *uu.s the s * v u atce sec ""ed ^ojeco 

4o (Lo r icr;i\ A'>u)deoi; ' he svstem aec< rdiru to civm ff:>"\ \\>je em the or on- 
<eojr» < - a rg o'ciL* e- vjus fo T tne o u ..so*- / i?^t £ dv,~nty< l.'"cc tit t,m.o,<; .o t»e*> 
4>» c t \iOk, fmtctior o opi^ta data a^cwli d ^tih toe o*jC l^o", <■ evhee^ e TCs:aac 

includes said listing. 

47. (Previously Presented) The system according to claim 46, wherein query includes
filtering parameters such that the listing includes only those entitlements which satisfy the filtering
parameters.

48. (Previously Presented) The system according to claim 47, wherein the filtering
parameters specify one or more of a user role, a function identity, an application identity, a user
identity, and a data access level.

49. (Previously Presented) The system according to claim 14, wherein the
authorization of the particular user to access proprietary data depends, at least in part, on the
particular software application identity.

50. (Previously Presented) The system according to claim 14, wherein the 
authorization of the particular user to access proprietary data depends, at least in part, on the 
particular function identity. 

51. (Previously Presented) The system of claim wherein the one of the users utilizes
a remote system to access the particular function of the particular software application, and is not
signed on to the operating system based on which the rules checker operates.

52. (Previously Presented) The system of claim 1, wherein:
the one of the users is an organization; and

the second data specifies entitlements of the organization to access one or more functions
of the particular software application, and entitlements of at least one individual user in the
organization to access at least one of the one or more functions of the particular software
application that the organization is entitled to access.

53. (Previously Presented) The system of claim 1, wherein:

the one of the users is an organization having associated proprietary data;

the second data includes an access level associated with an individual user within the
organization, wherein the access level is selected from among a plurality of access levels arranged
in a hierarchical structure, and specifies an authorization to access at least part of the proprietary
data associated with the organization; and

the individual user is entitled to access all data accessible to an access level hierarchically
subordinate to the access level associated with the individual user.

54. (Previously Presented) The system of claim 53, wherein more than one
hierarchical structure is provided, each of the more than one hierarchical structure is associated
with a function of the organization, an organization structure of the organization, or geographical
regions.

55. (Previously Presented) The system of claim 53, wherein the access level is 
assigned to the individual user based on the individual user's role within the organization or the 
individual user's job function. 

56. (Previously Presented) The system of claim 1, wherein:

the one of the users is an organization having associated proprietary data; and

the second data specifies an authorization granted to an individual user of the organization
to access at least part of the proprietary data associated with the organization, based on a function
to be performed by the individual user.

57. (Previously Presented) The system of claim 9, wherein the message includes that
one user's authorized action on the at least one field or the appearance of the at least one field to
that one user.

58. (Previously Presented) The system of claim 1, wherein the entitlements of the 
plurality of users are dynamically configurable without the need to have a specific user to sign-off 
and sign-on again. 

59. (Previously Presented) The system of claim 1, wherein:
the one of the users is an organization; and

the second data specifies entitlements of the organization to access one or more functions
of the particular software application and entitlements of a role of the organization to access at
least one of the one or more functions of the particular software application that the organization
is entitled to access; and

at least one individual user of the organization is assignable to the role.

60. (Cancelled)



